Full Report
The BlackLock or Eldorado ransomware gang could be the year’s fastest-growing ransomware-as-a-service group
Analysis Summary
# Threat Actor: BlackLock (RaaS Group)
## Attribution & Identity
* **Name:** BlackLock
* **Aliases:** El Dorado or Eldorado
* **Associated Groups:** Operates as a Ransomware-as-a-Service (RaaS) outfit.
* **Activity Origin:** Active since March 2024.
## Activity Summary
BlackLock is identified as one of the fastest-growing and most formidable RaaS groups of 2025; ReliaQuest projects it could become the most active RaaS group of the year. The group recorded a 1425% quarter-on-quarter increase in data leak posts in Q4 of the previous year. It relies on double extortion. Unlike many RaaS operators, which delegate the early stages of an intrusion, BlackLock keeps tight control over the whole attack lifecycle.
Specifically, the group actively recruits "traffers" to drive malicious traffic and establish initial access for campaigns, and prioritizes speed in that recruitment. It also works with trusted Initial Access Brokers (IABs) to accelerate attacks on behalf of affiliates, although it may conduct some direct compromises itself. Researchers noted heavy activity on the RAMP forum, which suggests close collaboration with affiliates, developers, and IABs.
## Tactics, Techniques & Procedures
* **Malware Used:** Custom-built malware (not using leaked Babuk or LockBit builds), which complicates analysis.
* **Extortion:** Employs double extortion tactics.
* **Leak Site Countermeasures:** Implements several data leak site features designed to block researchers and organizations from downloading stolen data, including query detection and providing bogus file responses to pressure victims into paying.
* **Anticipated Technique (Entra Connect):** Researchers warn the group may plan to exploit **Microsoft Entra Connect synchronization mechanics** to move from the cloud identity layer into on-premises environments.
* **Recruitment:** Explicitly recruits "traffers" for early-stage access, prioritizing speed over operational security (OpSec) for these roles. Higher-level roles (developers/programmers) are recruited more discreetly.
## Targeting
* **Sectors:** Not explicitly listed, but the focus on Windows, VMware ESXi, and Linux indicates targeting of environments running these platforms (typical of general enterprise/corporate networks).
* **Geography:** Not specified in the provided text.
* **Victims:** No specific victim organizations were named in the summary.
## Tools & Infrastructure
* **Malware Families Used:** Custom BlackLock ransomware variants.
* **Infrastructure (C2, domains, IPs):** No specific C2 infrastructure details (URLs/IPs) were provided in the article summary.
## Implications
BlackLock's rapid growth points to a highly effective operational model, driven by centralized control and active recruitment of initial access personnel ("traffers"). Because the malware is custom-built rather than derived from leaked builds, attribution and the creation of detection signatures are harder. The group's potential focus on Entra Connect suggests a pivot toward deeper compromise of the identity and synchronization layer in 2025, raising the risk to hybrid and on-premises environments. Its leak-site blocking mechanisms deny victims the ability to assess what was actually stolen, increasing the pressure to pay before the breach severity is understood.
## Mitigations
* Harden **Microsoft Entra Connect** attribute synchronization rules.
* Monitor and restrict **key registrations** related to Entra Connect.
* Enforce **Conditional Access policies**.
* Implement **Multi-Factor Authentication (MFA)** across the environment.
* Disable **Remote Desktop Protocol (RDP)** on unnecessary systems.
* For VMware environments, configure ESXi hosts to enable **strict lockdown mode**.
* Restrict network access and disable other unnecessary services (e.g., SNMP, vMotion).
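The following PowerShell script is an added example, not part of the original report, that audits three of the mitigations above (RDP on Windows hosts, ESXi lockdown mode, and the SNMP service and vMotion on ESXi) and optionally remediates them. It assumes the Windows check runs locally with administrative rights, that the VMware PowerCLI module is installed, and that a vCenter is reachable; the vCenter name `VCENTER.EXAMPLE` and the `-Remediate` switch are placeholders introduced here.

```powershell
<#
 Added audit script (not from the report or any vendor). Read-only unless
 -Remediate is passed. Assumptions: local admin rights for the registry check,
 VMware PowerCLI available, and a vCenter reachable under the placeholder name.
#>
[CmdletBinding()]
param(
    [string]$VCenter = 'VCENTER.EXAMPLE',   # placeholder, replace with your vCenter FQDN
    [switch]$Remediate
)

function Test-RdpExposure {
    # fDenyTSConnections = 1 means RDP is disabled; any other value accepts connections.
    $tsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts = Get-ItemProperty -Path $tsPath -Name fDenyTSConnections -ErrorAction Stop
    $rdpEnabled = ($ts.fDenyTSConnections -ne 1)
    [pscustomobject]@{ Host = $env:COMPUTERNAME; Check = 'RDP enabled'; Finding = $rdpEnabled }
    if ($rdpEnabled -and $Remediate) {
        # Disable the listener and close the firewall rule group so the port is not reachable
        Set-ItemProperty -Path $tsPath -Name fDenyTSConnections -Value 1
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    }
}

function Test-EsxiHardening {
    Import-Module VMware.PowerCLI -ErrorAction Stop
    Connect-VIServer -Server $VCenter | Out-Null
    foreach ($vmhost in Get-VMHost) {
        # HostLockdownMode is one of lockdownDisabled, lockdownNormal, lockdownStrict
        $mode = $vmhost.ExtensionData.Config.LockdownMode
        [pscustomobject]@{ Host = $vmhost.Name; Check = 'Lockdown mode'; Finding = "$mode" }
        if ($mode -ne 'lockdownStrict' -and $Remediate) {
            $ham = Get-View $vmhost.ExtensionData.ConfigManager.HostAccessManager
            $ham.ChangeLockdownMode('lockdownStrict')
        }

        # SNMP is a host service (key 'snmpd'); stop it and set its startup policy to Off
        foreach ($svc in Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'snmpd' }) {
            [pscustomobject]@{ Host = $vmhost.Name; Check = 'snmpd running'; Finding = $svc.Running }
            if ($svc.Running -and $Remediate) {
                Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null
                Set-VMHostService -HostService $svc -Policy Off | Out-Null
            }
        }

        # vMotion is a property of VMkernel adapters, not a service
        foreach ($vmk in Get-VMHostNetworkAdapter -VMHost $vmhost -VMKernel | Where-Object VMotionEnabled) {
            [pscustomobject]@{ Host = $vmhost.Name; Check = "vMotion on $($vmk.Name)"; Finding = $true }
            if ($Remediate) {
                Set-VMHostNetworkAdapter -VirtualNic $vmk -VMotionEnabled $false -Confirm:$false | Out-Null
            }
        }
    }
    Disconnect-VIServer -Server $VCenter -Confirm:$false
}

Test-RdpExposure
Test-EsxiHardening
```

Run it without `-Remediate` first and review the findings; strict lockdown mode removes direct host access (including the DCUI), so confirm vCenter connectivity and any required exception users before applying it, and only disable vMotion on hosts where migration is genuinely not needed.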